Product
An authenticated Tailscale user can bypass IP-based access controls, rate limiting, and manipulate audit logs by injecting arbitrary X-Forwarded-For or X-Real-IP headers into proxied requests via `tsdproxy`. This vulnerability stems from `tsdproxy`'s failure to strip these headers before forwarding them, allowing an attacker to spoof their source IP address. This is particularly impactful when `tsdproxy` is the sole enforcement point for backend services, enabling actions such as gaining unauthorized admin access to backend applications.